SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Tools and Lists, Bugs, and Web 2.0 for Packet Ninjas

A variety of items this week, including news of the first successful prosecution using memory forensics, several tool updates, a Web 2.0 site for packet ninjas, bugs (the tiny biological kind) for forensics, and even forensics for mortgage refinancing. I've included Twitter handles in the form (@TwitterHandle) where applicable.


  • Tableau (@tableauforensic), maker of write-blocker and duplicating hardware and software, has initiated a video series to update viewers on info about their products and items of general interest. The first entry concerns their firmware update tool. The Tableau T35e write blocker is provided as part of the SANS SIFT Essentials kit in FOR408, and this firmware update tool will be useful for keeping that hardware current.
  • TableauSoftware (@tableau) (unrelated to the company above as far as I can tell) has released a nifty browser-based data visualization package. There is a student edition available, something we should see more often!
  • Lance Mueller is continuing his stream of useful EnScripts, providing a proof of concept script to combine EnCase and F-Secure's Enterprise Edition to create a tool for network forensics and E-Discovery.
  • Vere Software has released V1.9 of their WebCase evidence collection software, which incorporates 64-bit capability and both full page and HTML source code capture.
  • For those needing to analyze packet captures for network forensics (or other reasons) Mu Dynamics (@mudynamics) has established Pcapr, a social networking site for packet ninjas to share captures. Richard Betjlich (@taosecurity) has a nice review of the site in his Traffic Talk column.
  • This is not new, but in answer to a common question "What should I carry in a forensics/incident response/evidence acquisition kit?", David Kovar (@dckovar) has a pretty thorough list.
  • The development team for the Italian GNU/Linux live forensics oriented distro CAINE is hard at work on V2.0.
  • The French firm ArxSys has released their Digital Forensics Framework, a modular, multiplatform, scriptable environment with GUI.

Good Reads:

  • The network forensics power team of Sherri Davidoff and Jonathan Ham (@jhamcorp) have posted the winners of Puzzle #3. There are some great solution writeups, and some awesome tools written by the finalists!
  • Good viewing and listening - Tom Cross's BlackHat talk on "Exploiting Lawful Intercept to Wiretap the Internet" has been posted on SecurityTube. Interesting implications for network forensics.
  • Russ Klanke (@pensource) has published a huge list of links to articles and other resources at this meta-meta-link.
  • Dan O'Day (@digitoll) has established an online community for digital forensics professionals. A recent entry compared Mac and Windows forensics artifacts. Some interesting info for those new to Mac forensics.
  • Harlan Carvey (@keydet89) has a nice writeup on the importance of timelines, and a somewhat depressing list of all the things that might be included, in his blog. Great stuff there, and worth adding to your RSS reader if it's not there already.
  • Lenny Zeltser (@lennyzeltser) has some useful cheatsheets for analyzing malicious Office and pdf documents.
  • Gary Kessler has recently updated his list of file signatures (magic numbers).


  • Jesse Kornblum published info about the first successful prosecution based entirely on memory forensics. More support for acquiring volatile memory as a standard practice, even if you're not sure what you can do with it immediately. In this case, it looks like the memory image sat for several years before the investigator found a technique to analyze it.
  • The Security Focus news portal is shutting down.
  • "Forensics" is now being used by home refinance brokers to promote their services. The idea is that forensic accounting analysis will show mistakes in most loans, and those mistakes can be used to encourage lenders to refinance under more favorable terms. Editorial comment is withheld on this one; a Twitter or Google search will turn up numerous examples.
  • No technical innovations here, but MSNBC has a quick story about how forensics was used to track a school shooter threat. Good to see public exposure for the value and need for forensics in LE.
  • A different sort of computer forensics - researchers have begun development of a technique which could be used to link DNA from keyboards and mice to the users of those devices. No word yet whether private investigator licensing will require expertise in DNA sequencing.
  • Microsoft has published the format of Outlook Personal Folder (.pst) files. Can parsing tools be far behind?


  • Whether this is levity or just a sad sign of the times, maker of mobile phone spy software, FlexiSpy is attempting to exploit the publicity about Tiger Woods to promote their antiforensics phone software.
  • For a real funny one - 10 signs that you work in computer forensics.

Coming Events:

Digital Forensics Case Leads for 20100318 was compiled by G W Ray Davidson, PhD, CISSP, GCFA, etc. Ray is Assistant Professor of Computer Information Technology at Purdue University Calumet, and principal at Vigil Inc., a consulting firm specializing in incident response and forensics. Follow him on Twitter at @RayDavidson.